Improper Privilege Management in CloudStack Quota Plugin by Apache
CVE-2025-22829

2.3LOW

Key Information:

Vendor

Apache
Status
Apache Cloudstack
Vendor
CVE Published:
10 June 2025

What is CVE-2025-22829?

The CloudStack Quota plugin in version 4.20.0.0 contains a vulnerability due to improper privilege management. This flaw allows any authenticated user with access to specified APIs to manipulate quota-related email settings for any account within the environment. Specifically, users can enable or disable the reception of these emails and view the respective configurations. Users of the CloudStack 4.20.0.0 version are strongly advised to upgrade to version 4.20.1.0 to mitigate this security issue.

Affected Version(s)

Apache CloudStack 4.20.0.0 < 4.20.1.0

References

https://cloudstack.staged.apache.org/blog/cve-advisories-...
vendor-advisory
https://www.shapeblue.com/shapeblue-security-advisory-apa...
third-party-advisory
https://lists.apache.org/thread/y3qnwn59t8qggtdohv7k7vw39...
mailing-list

CVSS V4

Score:
2.3
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

.